Invalid flag floods (ACK, FIN, RST, PSH, PSH-ACK)
Malformed variants of the common TCP flag floods: each uses the same flag letter as its valid counterpart, but with invalid_flag set. Useful for regression-testing IPS signatures after firmware updates.
How it works
- Engarde ships Invalid ACK, Invalid FIN, Invalid RST, Invalid PSH, and Invalid PSHACK presets.
- Each mirrors the valid flood but alters header integrity so parsers take different code paths.
- Mitigation tuned only for volumetric valid-flag traffic may miss these.
- Run one invalid preset at a time to attribute device behavior clearly in reports.
Packet flow (illustrative)
[Diagram: Engarde node → Target. Packet 1: TCP flags F+P+U (Xmas). Packet 2: ALL flags set (non-RFC). Effect at the target: parser / IPS path stress. Illustrative flow, not a live capture.]
Presets: Invalid A/F/R/P/PA
Engarde: invalid_flag=true
Layer: L4
What to watch in Engarde
- IPS alert signature changes between valid and invalid runs.
- CPU on inspection blades when invalid_flag traffic is forwarded.
- Whether state tables grow for ACK-class invalid packets.
Running this simulation
Pick each Invalid * Flood preset sequentially; save reports with distinct names for before/after policy comparisons.
Mitigation perspective
Align drop rules for malformed TCP with vendor best practice; re-test after every IPS rule import.
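
The flag-sanity logic that a malformed-TCP drop rule encodes, as an added example (not Engarde's code and not any vendor's rule set). The page does not say which header fields invalid_flag alters, so this assumes flag-combination anomalies like the two in the illustrative flow (Xmas and all flags set) plus other combinations commonly dropped; `tcp_flags`, `classify`, `header` and the sample headers are hypothetical and constructed.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (FIN is the low bit).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
CORE = FIN | SYN | RST | PSH | ACK | URG

def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP header; reject truncated headers."""
    if len(segment) < 20 or (segment[12] >> 4) < 5:
        raise ValueError("truncated or undersized TCP header")
    return segment[13]

def classify(flags: int) -> str:
    """Name the flag anomaly, or return 'ok' for a plausible combination."""
    core = flags & CORE
    if core == 0:
        return "null"
    if core == CORE:
        return "all-flags"            # every flag set, never legitimate
    if core == (FIN | PSH | URG):
        return "xmas"                 # F+P+U
    if (core & SYN) and (core & (FIN | RST)):
        return "syn-with-fin-or-rst"
    if (core & FIN) and (core & RST):
        return "fin-with-rst"
    if not (core & ACK) and (core & (FIN | PSH | URG)):
        return "no-ack"               # FIN/PSH/URG outside an ACKed stream
    return "ok"

def header(flags: int) -> bytes:
    """Constructed 20-byte header for the demo; ports and seq are arbitrary."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 1024, 0, 0)

# Constructed samples: valid flood shapes next to malformed ones.
SAMPLES = {
    "syn": SYN, "psh-ack": PSH | ACK, "fin-ack": FIN | ACK, "rst": RST,
    "xmas": FIN | PSH | URG, "all": 0xFF, "bare-fin": FIN, "null": 0,
    "syn-fin": SYN | FIN,
}

def run() -> dict:
    return {name: classify(tcp_flags(header(f))) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:9} {verdict}")
```

Comparing these verdicts with the IPS alert names from a valid run and an invalid run shows which anomaly classes the device's signatures distinguish.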